Hi, I currently have Traefik running on docker, and setup to retrieve certificates from Letsencrypt using Cloudflare as the cert resolver. I am able to successfully get a wild card certificate for my main domain (.mydomain.com), but I am unable to get one for a subdomain (.local.mydomain.com), but there is also no error in the logs so Im not really sure whats going on. Below are my docker-compose and config files. This setup was working on another machine untill I decided to migrate everything to a new server and completly restructure my homelab as I was not happy with the previous configuration.
docker-compose.yml:
version: '3'
services:
traefik:
container_name: traefik
image: traefik:2.6
security_opt:
- no-new-privileges:true
ports:
- 80:80
- 443:443
- 8080:8080 # Dashboard port
volumes:
- /home/user/Docker/traefik/volume:/etc/traefik/
networks:
- proxy
labels:
- "traefik.enable=true" # Enable Traefik reverse proxy for the Traefik dashboard.
# https
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.api.entryPoints=https" # Traefik entry point.
- "traefik.http.routers.api.rule=Host(`local.mydomain.xyz`)" # subdomain for the traefik dashboard.
# wildcard certs
- "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=local.mydomain.xyz"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.mydomain.xyz"
- "traefik.http.routers.traefik-secure.tls.domains[1].main=mydomain.xyz"
- "traefik.http.routers.traefik-secure.tls.domains[1].sans=*.mydomain.xyz"
- "traefik.http.routers.traefik-secure.service=api@internal"
environment:
DOCKER_HOST: dockersocket
CF_DNS_API_TOKEN: mycftoken
restart: unless-stopped
networks:
proxy:
driver: bridge
external: true
fileConfig.yml:
http:
## EXTERNAL ROUTING EXAMPLE - Only use if you want to proxy something manually ##
routers:
# Homeassistant routing example - Remove if not used
## SERVICES EXAMPLE ##
services:
# Homeassistant service example - Remove if not used
## MIDDLEWARES ##
middlewares:
# Only Allow Local networks
local-ipwhitelist:
ipWhiteList:
sourceRange:
- 127.0.0.1/32 # localhost
- 192.168.2.1/24 # LAN Subnet
# Authelia guard
auth:
forwardauth:
address: http://auth:9091/api/verify?rd=https://auth.domain.com/ # replace auth with your authelia container name
trustForwardHeader: true
authResponseHeaders:
- Remote-User
- Remote-Groups
- Remote-Name
- Remote-Email
# Authelia basic auth guard
auth-basic:
forwardauth:
address: http://auth:9091/api/verify?auth=basic # replace auth with your authelia container name
trustForwardHeader: true
authResponseHeaders:
- Remote-User
- Remote-Groups
- Remote-Name
- Remote-Email
# Security headers
securityHeaders:
headers:
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
server: ""
X-Forwarded-Proto: "https"
sslProxyHeaders:
X-Forwarded-Proto: https
referrerPolicy: "strict-origin-when-cross-origin"
hostsProxyHeaders:
- "X-Forwarded-Host"
customRequestHeaders:
X-Forwarded-Proto: "https"
contentTypeNosniff: true
browserXssFilter: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsSeconds: 63072000
stsPreload: true
# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6
tls:
options:
default:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
traefik.yml:
global:
checkNewVersion: true
sendAnonymousUsage: false
serversTransport:
insecureSkipVerify: true
entryPoints:
#Not used in apps, but redirect everything from HTTP to HTTPS
http:
address: :80
forwardedHeaders:
trustedIPs: &trustedIps
# Start of Clouflare public IP list for HTTP requests, remove this if you don't use it
- 173.245.48.0/20
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 141.101.64.0/18
- 108.162.192.0/18
- 190.93.240.0/20
- 188.114.96.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 162.158.0.0/15
- 104.16.0.0/12
- 172.64.0.0/13
- 131.0.72.0/22
- 2400:cb00::/32
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
# End of Cloudlare public IP list
http:
redirections:
entryPoint:
to: https
scheme: https
#HTTPS endpoint, with domain wildcard
https:
address: :443
forwardedHeaders:
# Reuse list of Cloudflare Trusted IP's above for HTTPS requests
trustedIPs: *trustedIps
http:
tls:
# Generate a wildcard domain certificate
certResolver: letsencrypt
domains:
- main: mydomain.xyz
sans:
- '*.mydomain.xyz'
middlewares:
- securityHeaders@file
- auth@file
providers:
providersThrottleDuration: 2s
#File provider for connecting things that are outside of docker / defining middleware
file:
filename: /etc/traefik/fileConfig.yml
watch: true
##Docker provider for connecting all apps that are inside of the docker network
docker:
watch: true
network: proxy # Add Your Docker Network Name Here
# Default host rule to containername.domain.example
defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.mydomain.xyz`)"
swarmModeRefreshSeconds: 15s
exposedByDefault: false
endpoint: "tcp://dockersocket:2375" # Uncomment if you are using docker socket proxy
#Enable traefik ui
api:
dashboard: true
insecure: true
#Log level INFO|DEBUG|ERROR
log:
level: DEBUG
#Use letsencrypt to generate ssl serficiates
certificatesResolvers:
letsencrypt:
acme:
email: myemail@gmail.com
storage: /etc/traefik/acme.json
dnsChallenge:
provider: cloudflare
# Used to make sure the dns challenge is propagated to the rights dns servers
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
My Cloudflare setup
I would start by updating your 2 year old Traefik image to a current version.
Are you actually using a Docker socket proxy? Is it constrained to a Docker Swarm manager node?
Did you create a local.domain.tld entry (zone) with your DNS provider?
What does Traefik debug log, access log and Traefik dashboard tell you?
Compare to simple Traefik Swarm example.